Journal of Engineering & Applied Sciences

Security Testing of Web Applications for Detecting and Exploiting Second-Order SQL Injection Vulnerabilities


Abstract

SQL injection is considered one of the most serious issues affecting web application security. It occurs when an attacker tries to access the back-end database of web applications by exploiting improper user input validation vulnerabilities. There are two types of SQL injection, namely, first-order SQL injection and second-order SQL injection. Most of the existing research works addressing this issue focus on detecting first-order SQL injection, with a common assumption that preventing first-order injection attacks makes web applications secure against other SQL injection attacks. However, second-order injection attacks can occur in applications that are secured against first-order injection attacks. This is a dangerous security problem which can occasionally lead to dire consequences. In this study, we present our work-in-progress that uses a static taint analysis and symbolic execution approach for detecting second-order SQL injection vulnerabilities. We first use static taint analysis to identify candidate vulnerabilities. Then, we use symbolic execution to generate those input vectors that make the program execution satisfy conditions and confirm the existence of SQL injection vulnerabilities. This is the first technique of which we are aware that generates input vectors that expose second-order SQL injection vulnerabilities. The initial analysis of our proposed approach shows some promising results.
